Ask HN: What do you use for encrypting your personal stuff?
I used to use Truecrypt (file based virtual encrypted disk). But it shut down under mysterious circumstances.
Now there is veracrypt based on the same source code, but I am not sure I trust it. Are there better alternatives? What does everyone use?
86 comments
[ 2.6 ms ] story [ 151 ms ] threadThe VeraCrypt FAQ addresses your concern: https://www.veracrypt.fr/en/FAQ.html
Direct link to audit: https://blog.quarkslab.com/security-assessment-of-veracrypt-...
If you are doing the former, I used to use git-annex[1] for a similar purpose and liked it to keep track of where the encrypted versions of files are stored.
[1]: https://git-annex.branchable.com/
But git annex look nifty! The use case is large file? Correct ?
Depends what you want to encrypt.
It also has some cool features like photo auto upload on mobile.
One thing it specifically lacks though it's FreeBSD support which leaves a huge gap in my personal workflow but it's unlikely to bother all but a handful of people in the world :)
I used to use Boxcryptor so I could have file-by-file encryption and sync directories full of encrypted files to various cloud storage services, but there was a know vulnerability with the way the crypto worked, were updates/changes to previously encrypted files could leak important info (I don't recall if it was cleartext or key hints?). It also had the problem of not encrypting directory names, so an attacker could see that you had a directory named "Plans For Super Secret Volcano Submarine Base" or "Darkweb purchase receipts".
I second this comment. Plus TrueCrypt has passed a serious source code audit. I'm not aware of any on-the-fly encryption system that has had the scrutiny of TrueCrypt. The main issue to be aware of is making certain you download the valid v7.1a source code or binaries. There are plenty of old trustworthy sites that have published the hashes of the source code tarballs or Windows binaries that you should check.
TrueCrypt works for me without any issue on current Linux systems, but I haven't tested it on recent Windows and macOS.
[1]: https://www.aescrypt.com/
You could build something more secure using the hello-world code for Go's Seal/Unseal crypto/ libraries, or Rust's Ring crate.
I encrypt (business related) ssh keys in our company's keepass database file.
Full-disk encryption from your OS vendor (FileVault, LUKS, whatever windows does) will accelerate this process.
I would always be hesitant to disclose what type of crypto you are using, unless I guess you have nothing important. I think veracrypt, 7zip, openssl are good. Probably anything that has been recently audited. Just make sure you are offline when decrypting or encrypting or else it may defeat the purpose.
On Linux, there's LUKS as mentioned already.
So it's only on by default if you shelled dough out for one of those
On Windows I just use the built-in Bitlocker encryption.
It is a bit annoying understanding what this means between Windows Home and Pro editions though.
On Home, it's not technically 'Bitlocker' - it's Device Encryption - hit Windows key & type 'device encryption' - if you see 'Device Encryption Settings', you should have it available. If you do not, it's probably not available on your device e.g. maybe you don't have a TPM, although I've had Windows machines that showed it as not available but then I was able to get it running with a bit of messing around and registry hacking.
It is still Bitlocker under the hood, but it's missing some features. You can get some of them by logging into your machine with a Microsoft account, but if you're running a local account (like I am) you get a more budget experience (e.g. I don't think there's an easy way to get the Bitlocker encryption key or have it backed up online).
If you only want to run local accounts, the easier and probably safer solution is to shell out for Windows Pro and take advantage of the full Bitlocker experience.
It uses envelope encryption with one-time password (OTP) authentication. I like to store data on the systems I own and just run backups regularly.
[1] https://www.tarsnap.com/scrypt.html
Especially convenient when you need to transmit the file over some untrusted medium like email, or if you just want to dump it in some cloud storage service and not worry about potential snooping.
On Linux, I use age[1] (specifically, rage[2]) to encrypt sensitive files. I wrote a secret manager that uses the latter as an encryption backend[3], and I use `rage-mount` to mount (read-only) views of encrypted archives.
[1]: https://github.com/FiloSottile/age
[2]: https://github.com/str4d/rage
[3]: https://github.com/woodruffw/kbs2
At best, they probably just plug it into a black box and that box searches what it can for certain file hashes or names. Encrypted disk and it's game over.
Unless they're specifically looking for your data in particular - then all bets are off.
Not sure what they'd do with most modern laptops that have soldered drives though.
Happy to be corrected.
I believe they often ask for your passwords at the border too. I read that some borders also ask for your social media accounts, not sure if they want passwords for those too.
Would be interesting to set up a honeypot of sorts that records everything they do when they login to your device. Could even activate the camera and mic recording.
It seems unbelievable that it's accepted that they can walk away with your device and login as you and then do whatever they want.
I've seen on border patrol shows the guards going through messages on the phone looking for evidence of an intent to take paid work, etc. But it looks like a pretty surface-level manual search, at least the part they show on TV.
Surely somebody on here has had experience in this from the other side?
What evidence do you have, leaving aside speculation or conjecture? Can you state it any higher than it was possible they copied your hard drive? Is this a routine occurrence where you live?
Well I am pretty sure the personnel liked GP’s laptop colour and just wanted to admire it in privacy. Or maybe lick it as well; and possibly passing around among themselves so that more could lick it.
You didn’t mention the country, should I assume US of A? Or it happens elsewhere as well?
Ever been forced to open the laptop or phone as well?
Communication is pretty much always automatically covered nowadays.
You can have an encrypted folder, put it on Google Drive and then decrypt it from any of your devices. Even iOS will support it natively once you do the setup with the Cryptomator app.
Just look at TLS. Anybody who can sniff a TLS connection can tell exactly what encryption is being used, yet we consider TLS to be quite secure other than potential concerns with PKI.
That said, I'd be slightly surprised if there wasn't metadata on the drive that could be used to determine which brand of disk encryption is in use, but it'd still be worthless. If the knowledge that I'm using X to encrypt my drive actually leads to them decrypting my drive, then X was terrible and never should have been used to begin with.
* If you are attacked by an adversary with access to your hardware they can tell what encryption you are using.
* If you are attacked by an adversary without access to your hardware then knowing what you use doesn't given them any advantage.
On the other hand, telling people they shouldn't provide recommendations for encryption software is just the kind of thing an adversary might do...
My backup hard drive has the Veracrypt installer and a file that ends in .hc. I wonder what setup I'm using? If I went a degree more obtuse and just had a 200GB file consisting of a header and a bunch of cryptographically random data, it wouldn't take the NSA to understand what was going on.
The same applies to Bitlocker/LUKS.
My encryption setup isn't designed to stop state-level actors. It's designed to stop anyone who has access to one of my backups or who steals one of my machines. Bitlocker (with the key backed up to the cloud) and Veracrypt (for offline backups) fit those needs purposely. If a government agent asked me for the key to decrypt my backup drive I would surrender it without a fuss.
Math is funny this way, as it is an all or nothing algorithm... where it is either fully secure or broken beyond repair (sometimes intentionally).
A better question, is who do you trust?
So basically I use the default encryption. When I need to move stuff from one computer to another I encrypt the files individually with GPG (using openPGP keys on smartcard or yubikey)